changeset 4381:df313e410f0c varian

Add support to configure minimum accepted TLS version and cipher suite
author Andrew Wallis <andrew.wallis@varian.com>>
date Fri, 11 Dec 2020 11:59:10 -0500
parents 85b5b0e1bac9
children 3aacd2bd8bbc
files OrthancFramework/Sources/HttpServer/HttpServer.cpp OrthancFramework/Sources/HttpServer/HttpServer.h OrthancServer/Resources/Configuration.json OrthancServer/Sources/main.cpp
diffstat 4 files changed, 76 insertions(+), 1 deletions(-) [+]
--- a/OrthancFramework/Sources/HttpServer/HttpServer.cpp	Thu Dec 17 12:48:14 2020 +0100
+++ b/OrthancFramework/Sources/HttpServer/HttpServer.cpp	Fri Dec 11 11:59:10 2020 -0500
@@ -1631,9 +1631,16 @@
         options.push_back("ssl_ca_file");
         options.push_back(trustedClientCertificates_.c_str());
       }
-
       if (ssl_)
       {
+        // Restrict minimum SSL/TLS protocol version
+        options.push_back("ssl_protocol_version");
+        options.push_back(sslMinimumVersion_.c_str());
+
+        // Set the accepted ciphers list
+        options.push_back("ssl_cipher_list");
+        options.push_back(sslCiphers_.c_str());
+
         // Set the SSL certificate, if any
         options.push_back("ssl_certificate");
         options.push_back(certificate_.c_str());
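Review bot: Both new options are pushed unconditionally whenever `ssl_` is set, so an HttpServer on which SetSslMinimumVersion/SetSslCiphers were never called (this changeset does not touch the constructor, leaving both members as empty strings) hands CivetWeb an empty `ssl_protocol_version` and an empty `ssl_cipher_list`; as far as I recall OpenSSL rejects an empty cipher list outright, so such a server would fail to start, and an empty version string would parse as 0, i.e. no minimum at all. Either initialize `sslMinimumVersion_` and `sslCiphers_` in the constructor to the same defaults main.cpp applies, or skip each option while its member is empty as below; the two setters in the next hunk could additionally reject an empty argument so the invalid state cannot be reached. The enclosing function continues on both sides of this hunk.
```cpp
      if (ssl_)
      {
        // Restrict minimum SSL/TLS protocol version (only if one was configured)
        if (!sslMinimumVersion_.empty())
        {
          options.push_back("ssl_protocol_version");
          options.push_back(sslMinimumVersion_.c_str());
        }

        // Set the accepted ciphers list (only if one was configured)
        if (!sslCiphers_.empty())
        {
          options.push_back("ssl_cipher_list");
          options.push_back(sslCiphers_.c_str());
        }

        // … unchanged: ssl_certificate option …
```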
@@ -1783,6 +1790,18 @@
 #endif
   }
 
+  void HttpServer::SetSslMinimumVersion(std::string version)
+  {
+    Stop();
+    sslMinimumVersion_ = std::move(version);
+  }
+
+  void HttpServer::SetSslCiphers(std::string ciphers)
+  {
+    Stop();
+    sslCiphers_ = std::move(ciphers);
+  }
+
   void HttpServer::SetKeepAliveEnabled(bool enabled)
   {
     Stop();
--- a/OrthancFramework/Sources/HttpServer/HttpServer.h	Thu Dec 17 12:48:14 2020 +0100
+++ b/OrthancFramework/Sources/HttpServer/HttpServer.h	Fri Dec 11 11:59:10 2020 -0500
@@ -97,6 +97,8 @@
     std::string trustedClientCertificates_;
     bool ssl_;
     std::string certificate_;
+    std::string sslMinimumVersion_;
+    std::string sslCiphers_;
     uint16_t port_;
     IIncomingHttpRequestFilter* filter_;
     bool keepAlive_;
@@ -141,6 +143,12 @@
 
     void SetSslVerifyPeers(bool enabled);
 
+    // set the minimum accepted version of SSL/TLS protocol according to the CivetWeb table published here:
+    // https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md#ssl_protocol_version-0
+    void SetSslMinimumVersion(std::string version);
+
+    void SetSslCiphers(std::string ciphers);
+    
     void SetSslTrustedClientCertificates(const char* path);
 
     bool IsKeepAliveEnabled() const;
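Review bot: `SetSslCiphers` is declared without any comment, while the neighbouring `SetSslMinimumVersion` documents its value format; the cipher setter needs the same, e.g. `// set the accepted cipher suites as an OpenSSL cipher-list string (colon separated), passed to CivetWeb's "ssl_cipher_list" option`. The comment on `SetSslMinimumVersion` would also benefit from stating that `version` is the numeric code from that CivetWeb table ("4" meaning TLS 1.2 and newer, if I read the table correctly), not a protocol name. Line 71 of the hunk carries trailing whitespace.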
--- a/OrthancServer/Resources/Configuration.json	Thu Dec 17 12:48:14 2020 +0100
+++ b/OrthancServer/Resources/Configuration.json	Fri Dec 11 11:59:10 2020 -0500
@@ -170,6 +170,22 @@
   // if "SslEnabled" is true.
   "SslCertificate" : "certificate.pem",
 
+  // Sets the minimum accepted SSL protocol version
+  // See https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md 
+  // "ssl_protocol_version" for mapping
+  // By default require SSL 1.2
+  // This option is only meaningful if "SslEnabled" is true.
+  /**
+    "SslMinimumProtocolVersion" : "4",
+  **/
+
+  // Set the allowed ciphers for SSL connections
+  // If not set, this will default to FIPS 140-2 ciphers
+  // This option is only meaningful if "SslEnabled" is true.
+  /**
+    "SslCiphersAccepted" : "",
+  **/
+
   // Whether or not peer client certificates shall be checked. This
   // option is only meaningful if "SslEnabled" is true.
   "SslVerifyPeers" : false,
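Review bot: The comment "By default require SSL 1.2" names a protocol that does not exist; the value "4" in the referenced CivetWeb table is TLS 1.2, so it should read `// By default require TLS 1.2 (CivetWeb value "4")`. The commented example `"SslCiphersAccepted" : ""` is misleading as a template, because an empty string is not "use the default": main.cpp forwards it unchanged and an empty cipher list disables every suite rather than falling back to the FIPS list, so either show the actual default list here or document that empty is not accepted. The "See" line also has trailing whitespace.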
--- a/OrthancServer/Sources/main.cpp	Thu Dec 17 12:48:14 2020 +0100
+++ b/OrthancServer/Sources/main.cpp	Fri Dec 11 11:59:10 2020 -0500
@@ -1043,6 +1043,38 @@
           lock.GetConfiguration().GetStringParameter("SslCertificate", "certificate.pem"));
         httpServer.SetSslEnabled(true);
         httpServer.SetSslCertificate(certificate.c_str());
+        
+        // Default to TLS 1.2 as SSL minimum
+        // See https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md "ssl_protocol_version" for mapping
+        std::string tls1_2 = "4";
+        std::string minimumVersion = lock.GetConfiguration().GetStringParameter("SslMinimumProtocolVersion", tls1_2);
+        httpServer.SetSslMinimumVersion(minimumVersion);
+
+        // Default to FIPS 140-2 ciphers 
+        const std::vector<std::string> fipsCiphers = { 
+          "ECDHE-ECDSA-AES256-GCM-SHA384", 
+          "ECDHE-ECDSA-AES256-SHA384",
+          "ECDHE-RSA-AES256-GCM-SHA384", 
+          "ECDHE-RSA-AES128-GCM-SHA256", 
+          "ECDHE-RSA-AES256-SHA384",
+          "ECDHE-RSA-AES128-SHA256", 
+          "ECDHE-RSA-AES128-SHA", 
+          "ECDHE-RSA-AES256-SHA", 
+          "DHE-RSA-AES256-SHA",
+          "DHE-RSA-AES128-SHA", 
+          "AES256-SHA",
+          "AES128-SHA"};
+
+        // Format default cipher string
+        std::string defaultCipherString;
+        for (const auto &cipher : fipsCiphers)
+        {
+          defaultCipherString += cipher + ":";
+        }
+        defaultCipherString.pop_back();
+
+        std::string ciphersAccepted = lock.GetConfiguration().GetStringParameter("SslCiphersAccepted", defaultCipherString); 
+        httpServer.SetSslCiphers(ciphersAccepted);
       }
       else
       {
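Review bot: The default cipher list is a fixed constant, yet it is assembled at runtime from a vector with a loop and a `pop_back()` (the `defaultCipherString` block); a single colon-separated literal expresses the same thing without the trailing-separator fix-up, as below. Worth noting in the comment, or reconsidering, is that this "FIPS 140-2" default includes `AES256-SHA`/`AES128-SHA` (static RSA key exchange, no forward secrecy) and several SHA-1 CBC suites, so it is a compatibility-oriented set rather than a hardened one. `minimumVersion` is also forwarded without validation; if CivetWeb parses it numerically as I believe it does, a non-numeric or out-of-range value would be read as 0 and silently disable the minimum, so checking it is an integer within the documented table before calling `SetSslMinimumVersion` would be safer. The enclosing `if` branch begins before this hunk.
```cpp
        // Default to FIPS 140-2 ciphers (OpenSSL cipher-list syntax, colon separated)
        static const char* const kDefaultFipsCiphers =
          "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:"
          "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
          "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
          "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:"
          "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:"
          "AES256-SHA:AES128-SHA";

        std::string ciphersAccepted = lock.GetConfiguration().GetStringParameter("SslCiphersAccepted", kDefaultFipsCiphers);
        httpServer.SetSslCiphers(ciphersAccepted);
```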